After registering with SSO, click the “Edit” button for the vCenter Server.

Enter your vCenter Server details. The “Modify plugin download location” tick box is only required when the NSX Manager is behind a firewall type of masking device (don’t do that though). Accept the SSL certificate when prompted.

When that’s done, the Lookup Service and vCenter Server status should say “Connected” and you should have the “Networking & Security” plugin registered in your vCenter (the last one might require logging out and back in again).

You want to configure a Syslog server so the NSX Manager can push its audit logs and events to a central logging repository.

I am utilising vRealize Log Insight.

Log into the NSX Manager appliance webpage with the Admin account.

Click the Manage Appliance Settings tab.

Under Syslog Server, click the Edit button and enter the details for your Syslog server. Enter 514 as the port and UDP as the protocol.

Click OK.

Implement and Configure NSX Controllers

Requirements:

NSX Manager registered to vCenter server.

NSX IP Pool for NSX Controllers created.

Always deploy the NSX Controllers in an odd number to avoid split-brain situations. Deploy either 1 (only in a lab!), 3 (recommended), 5, etc., based on scale. Current scaling of NSX can be handled by 3 NSX Controllers. After deploying, manually set up DRS anti-affinity rules to keep the controllers running on different ESXi nodes.
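
The reasoning behind the odd count and the anti-affinity rules, as an added example that is not part of the original walkthrough. It assumes the controller cluster stays in quorum only while a strict majority of its nodes is up; the controller and host names are constructed.

```python
from collections import Counter


def quorum(n):
    """Smallest strict majority of an n-node cluster (assumed quorum rule)."""
    return n // 2 + 1


def tolerated_failures(n):
    """Number of nodes that can be lost while a majority still remains."""
    return n - quorum(n)


def audit_placement(placement):
    """placement maps controller VM name -> ESXi host it runs on.

    Returns a list of findings; an empty list means the layout is sound.
    """
    n = len(placement)
    if n == 0:
        return ["no controllers deployed"]
    findings = []
    if n % 2 == 0:
        findings.append(
            f"{n} controllers tolerate {tolerated_failures(n)} failure(s), "
            f"the same as {n - 1}; use an odd count")
    # Simulate the loss of each ESXi host in turn.
    for host, count in sorted(Counter(placement.values()).items()):
        survivors = n - count
        if count > 1:
            findings.append(
                f"{count} controllers share {host}; "
                "anti-affinity rule missing or violated")
        if survivors < quorum(n):
            findings.append(
                f"losing {host} leaves {survivors}/{n} controllers, "
                f"below the quorum of {quorum(n)}")
    return findings


# Constructed sample layouts (hypothetical VM and host names).
GOOD = {"nsx-ctrl-1": "esx01", "nsx-ctrl-2": "esx02", "nsx-ctrl-3": "esx03"}
BAD = {"nsx-ctrl-1": "esx01", "nsx-ctrl-2": "esx01", "nsx-ctrl-3": "esx02"}

if __name__ == "__main__":
    for name, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_placement(layout) or "ok")
```

A single lab controller is reported too, since losing its host leaves no quorum at all.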

Deploy NSX Controller(s):

Navigate to Networking & Security and then the “Installation” menu.

Click on the “+” icon in the “NSX Controller Nodes” view to start the deployment procedure.

Fill out the required details: which vCenter datacenter, cluster and datastore you want to deploy on. Select the VM management network portgroup, the IP Pool and the password of the controller.

Click “OK” when satisfied with your settings to start deployment.

Repeat these steps for the remaining NSX Controllers you would like to deploy.

Exclude virtual machines from firewall protection according to a deployment plan

By default, the NSX Manager and NSX Controllers are automatically excluded from the Distributed Firewall (DFW). Any Edge Service Gateways (ESG) are also excluded when they are deployed.

To add the vCenter Server and the external PSC to the exclusions list:

Log into the vSphere Web Client.

Click the Networking and Security icon, then click NSX Managers.

Select your NSX Manager and then click the Manage tab.

Click the Exclusion List tab.

Click the + sign to add a virtual machine to exclude, select your VMs and then click OK.

Note: If you add an additional vNIC to a VM after excluding it, the new vNIC will automatically be protected by the DFW. To exclude the vNIC, you need to remove the entire VM from the Exclusion List and re-add it (or you can reboot the VM).